Managing Cyber Risk in the Middle Market

Cybersecurity incidents are a leading cause of operational disruption, liquidity stress, and value impairment, yet cyber maturity is one of the more underweighted variables in underwriting private credit. Middle Market companies may face high cyber exposure due to lean IT teams, constrained budgets, and reliance on third-party Software as a Service (SaaS) providers. For lenders, whose returns depend on uninterrupted cash flow and value preservation, cyber weaknesses increase default probability and impair recovery values. With ransomware impacting 48% of organizations in the past year, cyber diligence is more critical now than ever before.¹

Middle Market vs Large Enterprise: Cyber Risk Exposure²

The Cyber Maturity Gap

Cybersecurity maturity correlates strongly with company size. Compared to larger enterprises, Middle Market companies may lack formal governance, layered security controls, and tested recovery capabilities.

 Cyber Maturity by Enterprise Size

Critically, smaller companies are less able to absorb cyber incidents. In the United States, the average cost of a data breach reached $10.22M in 2025, up 9% year over year³, often erasing multiple turns of cash-flow-based valuation and triggering covenant pressure.

Footnotes:

(1) Splunk 2025 CISO Report

(2) BD Emerson SMB Statistics, Coalition SMB Security Study 2024, Deloitte Global TPRM Survey

(3) IBM Cost of a Data Breach Report 2025

Primary Areas of Cyber Exposure

1. Third-Party & SaaS Dependency

Middle market companies may rely heavily on third-party SaaS platforms for payroll, Enterprise Resource Planning (ERP), Client Relationship Management (CRM), logistics, and customer operations. These tools enable scale, but they materially expand digital exposure and limit visibility into where data resides and how it is protected.
• The percentage of breaches where a third party was involved doubled in the past year, from 15% to 30%¹
• 75% of organizations experienced a SaaS data breach or incident in the last 12 months²

Common weaknesses include:
❌ No formal vendor risk assessments
❌ No review of SOC 2 or ISO security certifications (third-party controls audits)
❌ Inconsistent MFA (multi-factor authentication) beyond passwords for SaaS logins
❌ Overreliance on Managed Service Providers (MSP) without defined accountability

COMPROMISE OF A PAYROLL PROVIDER, ERP SYSTEM, OR CUSTOMER-FACING SAAS PLATFORM CAN QUICKLY HALT OPERATIONS, DISRUPT REVENUE, & IMPAIR LIQUIDITY

2. Identity-Based Attacks & Phishing

Phishing remains the most common entry point for attackers, with small to medium businesses (SMBs) representing the easiest targets.³
• 60% of breaches involve the human element⁴
• AI-driven phishing and voice cloning materially increase success rates
• Business Email Compromise (BEC) – fraud via hijacked or impersonated email accounts – resulted in $2.77B in losses in 2024⁵

Common weaknesses include:
❌ Limited employee training
❌ Partial or absent MFA enforcement
❌ No monitoring for abnormal login behavior

IDENTITY FAILURES MAY LEAD TO FRAUDULENT WIRE TRANSFERS, PAYROLL DIVERSION, AND UNAUTHORIZED ACCESS – LOSSES THAT SMALL TO MEDIUM SIZED BUSINESSES OFTEN CANNOT RECOVER FROM

Footnotes:

(1) 2025 SecurityScorecard Global Third-Party Breach Report

(2) 2025 AppOmni The State of SaaS Security Report

(3) DeepStrike 2025

(4) Verizon 2025 Data Breach Investigations Report

(5) FBI IC3 2025

3. Business Continuity & Disaster Recovery

Ransomware has been cited as the most financially damaging cyber threat to Middle Market companies¹:
• Cyberattacks on SMBs are up 16% in 2025, with avg. breach costs reaching $140,000²
• Attackers increasingly target data backups first

Common weaknesses include:
❌ No documented incident response plan
❌ Backups that are untested or non-immutable (cannot be altered or deleted by attackers)
❌ Lack of geographic redundancy

EVEN A FIVE TO TEN-DAY OUTAGE CAN MATERIALLY IMPAIR EARNINGS, VIOLATE CONTRACTUAL OBLIGATIONS, & INCREASE DEFAULT RISK

4. Legacy Systems & Unsupported Tech

Many middle market companies continue to operate on outdated ERP platforms, unsupported operating systems, or industry-specific legacy applications.³
• 62% of organizations still rely on legacy ERP or industry-specific platforms⁴

Common weaknesses include:
❌ End-of-Life (EoL) systems no longer supported or patched by vendors
❌ No centralized inventory of deployed hardware & software

LEGACY ENVIRONMENTS MATERIALLY EXPAND THE ATTACK SURFACE

5. Data Governance & Information Risk

Middle Market companies may lack accurate inventories of sensitive data or formal classification procedures.
• Formal data governance and data-loss prevention controls are associated with roughly a 30% reduction in breach likelihood⁵

Common weaknesses include:
❌ Sensitive or Personally Identifiable Information (PII) stored unencrypted in email or shared drives
❌ No formal data retention or data deletion procedures
❌ Limited visibility into user and file access behavior

WEAK DATA GOVERNANCE INCREASES REGULATORY, LEGAL, AND REPUTATIONAL EXPOSURE THAT SMALLER COMPANIES ARE POORLY POSITIONED TO ABSORB

Footnotes:

(1) Resilience Midyear 2025 Cyber Risk Report

(2) Five Town Chamber of Commerce https://erc5.com/smb-cybersecurity-report-2025

(3) Saritasa, Legacy Software Modernization in 2025: Survey of U.S. IT Professionals, 2025

(4) Saritasa, Legacy Software Modernization in 2025: Survey of U.S. IT Professionals, 2025

(5) Forrester, Total Economic Impact of Microsoft Purview, 2025

Why Cyber Risk Is a Financial Issue for Lenders

Cyber incidents can directly impair credit through operational disruption, liquidity strain, covenant breaches, reduced recovery values, and governance failures. Cyber risk is therefore a forward indicator of borrower resilience and should be considered as part of underwriting, pricing, and monitoring decisions.

Integrating Cyber Risk Into Underwriting

Key Diligence Questions
  • Does the company maintain cyber insurance, & what exclusions apply?
  • Have there been prior incidents, outages, or near-misses?
  • Is MFA enforced across users and SaaS platforms?
  • Are backups immutable and routinely tested?
  • How concentrated are critical SaaS dependencies?
Common Red Flags
  • No incident response plan
  • Unsupported or unpatched systems
  • Incomplete backup strategy
  • No vendor risk management
  • Weak identity controls (no MFA, shared accounts)
Translating Findings Into Credit Terms
  • Spread premiums for low-maturity environments
  • Cyber insurance requirements at close
  • Defined 60 – 90 day remediation timelines
  • Capex reps, warranties, and notification covenants
Improving Cyber Maturity

Minimum baseline controls for middle market borrowers include:

  • Phishing-resistant MFA for all users and systems
  • Formal patching and update schedules
  • Segregated, immutable backups with routine testing
  • Regular vulnerability assessments and remediation
  • Annual penetration testing (controlled hacking)
  • Employee security training and phishing simulations
  • Least-privileged access policies

Conclusion

Cybersecurity is a material underwriting variable in private credit. Middle Market companies may face elevated cyber risk due to structural underinvestment, operational complexity, and limited resilience. For lenders, cyber incidents drive liquidity stress, impair cash flow, and materially reduce recoveries. Cyber maturity is an underutilized and underappreciated competitive advantage in credit underwriting and portfolio construction.

Disclosures

Past Performance is not indicative of future results. Institutional Use Only.

Prospect Capital Management L.P. (“Prospect”) is an SEC registered investment adviser that was founded in 1988 (along with its predecessors). Prospect invests across the United States in diversified portfolios by industry, company, and situation, and its proprietary underwriting process and metrics have been developed over more than 30 years and through multiple economic cycles. Prospect has over 150 employees and $9.8 billion** of assets under management as of September 30, 2025. With a buy-and-hold mentality, Prospect’s objectives are to preserve capital by making credit and equity-focused investments at reasonable multiples of recurring cash flow, earn attractive current cash yields and long-term capital appreciation while achieving consistent low-volatility returns. For more information, call 212.448.0702 or visit prospectcap.com

**The $9.8 billion of Assets Under Management (“AUM”) refers to the assets managed by Prospect and its affiliated registered investment advisors. AUM equals the sum of: (i) the gross assets of (a) Prospect Capital Corporation (“PSEC”), Priority Income Fund, Inc. (“PRIS”), Prospect Floating Rate and Alternative Income Fund, Inc. (“PFLOAT”), Prospect Credit REIT, LLC (“PCRED”), and Prospect Enhanced Yield Fund (“PENF”), and (b) pooled investment vehicles with respect to discrete assets for which Prospect has non-discretionary authority, (ii) any amounts available to be borrowed under certain credit facilities of the investment companies, (iii) total managed assets for real estate and structured credit investments, and (iv) uncalled capital commitments. Prospect’s AUM measure includes assets under management for which Prospect charges either nominal or zero fees. Prospect’s definition of AUM is not based on any definition of assets under management contained in any management agreements of the investment companies Prospect manages. Given the differences in the investment strategies and structures among other investment advisors, Prospect’s calculation of AUM may differ from the calculations employed by other investment managers and, as a result, this measure may not be directly comparable to similar measures presented by other investment managers. Prospect’s calculation also differs from the manner in which Prospect and its affiliates registered with the SEC report “Regulatory Assets Under Management” ($7.3 billion) on Form ADV.

 

This information is educational in nature and does not constitute an offer to sell or the solicitation of an offer to buy any securities. Prospect is not adopting, making a recommendation for or endorsing any investment strategy or particular security. All opinions are subject to change without notice, and you should always obtain current information and perform due diligence before participating in any investment. All investing is subject to risk, including the possible loss of principal. Prospect cannot guarantee that the information herein is accurate, complete or timely. We make no representation or warranty in respect of any information derived from the third-party sources which has not been independently verified.

If you have any questions, please reach out to Mark Whitford (mwhitford@prospectcap.com) or Hugo Francis (hfrancis@prospectcap.com).
